docker-compose.yml

services:
  nist-sp800-22:
    image:  ghcr.io/ammannchristian/nist-sp800-22-rev1a:latest
    container_name: nist-sp800-22
    ports:
      - "$GRPC_PORT:$GRPC_PORT"
      - "$METRICS_PORT:$METRICS_PORT"
    environment:
      - GRPC_PORT=$GRPC_PORT
      - METRICS_PORT=$METRICS_PORT
      - LOG_LEVEL=$LOG_LEVEL
      - AUTH_ENABLED=${AUTH_ENABLED:-false}
      - AUTH_ISSUER=${AUTH_ISSUER:-}
      - AUTH_AUDIENCE=${AUTH_AUDIENCE:-}
      # Token validation mode: jwt | opaque
      - AUTH_TOKEN_TYPE=${AUTH_TOKEN_TYPE:-jwt}
      # JWT mode
      - AUTH_JWKS_URL=${AUTH_JWKS_URL:-}
      # Opaque mode (RFC 7662 introspection)
      - AUTH_INTROSPECTION_URL=${AUTH_INTROSPECTION_URL:-}
      - AUTH_INTROSPECTION_AUTH_METHOD=${AUTH_INTROSPECTION_AUTH_METHOD:-client_secret_basic}
      - AUTH_INTROSPECTION_CLIENT_ID=${AUTH_INTROSPECTION_CLIENT_ID:-}
      - AUTH_INTROSPECTION_CLIENT_SECRET=${AUTH_INTROSPECTION_CLIENT_SECRET:-}
      - AUTH_INTROSPECTION_PRIVATE_KEY=${AUTH_INTROSPECTION_PRIVATE_KEY:-}
      - AUTH_INTROSPECTION_PRIVATE_KEY_FILE=${AUTH_INTROSPECTION_PRIVATE_KEY_FILE:-}
      - AUTH_INTROSPECTION_PRIVATE_KEY_JWT_KID=${AUTH_INTROSPECTION_PRIVATE_KEY_JWT_KID:-}
      - AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG=${AUTH_INTROSPECTION_PRIVATE_KEY_JWT_ALG:-}
      - TLS_ENABLED=${TLS_ENABLED:-false}
      - TLS_CERT_FILE=${TLS_CERT_FILE:-}
      - TLS_KEY_FILE=${TLS_KEY_FILE:-}
      - TLS_CA_FILE=${TLS_CA_FILE:-}
      - TLS_CLIENT_AUTH=${TLS_CLIENT_AUTH:-none}
      - TLS_MIN_VERSION=${TLS_MIN_VERSION:-1.2}
    healthcheck:
      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:$METRICS_PORT/health"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 5s
    restart: unless-stopped
    networks:
      - nist-net
    deploy:
      resources:
        limits:
          cpus: '2.0'
          memory: 2G
        reservations:
          cpus: '0.5'
          memory: 256M

networks:
  nist-net:
    driver: bridge